Stage GE MachineAuth profiles at imaging time (AESFMA auto-join)

Hypothesis test for WJ Phase 2 stuck issue. GE Report IP script
filters Get-NetIPAddress on StartsWith("10.") - WJ bays don't see
ANY 10.x because:
 - PXE LAN is 10.9.100.x (we'd disable wired anyway to avoid leak)
 - Internet WiFi at site is 172.16.x (filter rejects)
 - AESFMA corp WiFi (10.x) requires machine cert that Intune SCEP
   provisions a few minutes AFTER PPKG enrollment

Result: Report IP webhook gets nothing -> GE backend never sees the
bay -> bay never enters the dynamic group that SFLD policy is
assigned to. Other GE sites work because their corp WiFi/wired is
on a real 10.x corp network and the script always finds a 10.x to
report.

Drop the MA package (8021x.xml + AESFMA.xml + multi-NIC bat) onto
each bay early in Run-ShopfloorSetup, run MA4NetworkConfigv2.bat to
import both profiles to every physical wired + wireless adapter.
AESFMA.xml patched to connectionMode=auto (default V02 was manual)
so WLAN service auto-joins as soon as the SCEP cert lands. Bay
gets a real 10.x corp address. Report IP webhook fires cleanly.

Profile XMLs (8021x.xml, AESFMA.xml, BLUESSO.xml, WiFi-Profile.xml,
*.wlanprofile, *.lanprofile) added to .gitignore - they contain
GE-internal SSID + trusted-root thumbprint and are staged on the
PXE enrollment share at /srv/samba/enrollment/MachineAuth/ instead
of git.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-05-14 16:13:11 -04:00
parent 86c7ffccd5
commit 4dd300e7ab
2 changed files with 42 additions and 0 deletions

.gitignore

@@ -82,6 +82,16 @@ secrets.yml
*_secrets
credentials.json
# GE-internal WiFi / 802.1X profiles - contain SSID + trusted-root thumbprint.
# Staged on PXE share at /srv/samba/enrollment/MachineAuth/ and copied to
# bays during imaging. Never check these into git.
AESFMA.xml
8021x.xml
BLUESSO.xml
WiFi-Profile.xml
*.wlanprofile
*.lanprofile
# Pre-staged binary (142 MB) - track via LFS or stage on PXE server, not in regular git
playbook/shopfloor-setup/Shopfloor/PrinterInstallerMap.exe
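Review bot: a .gitignore entry only prevents future adds; it does not untrack a file that is already committed or remove it from history, so before relying on this confirm none of the profile XMLs ever landed in the repo (for example `git log --all --oneline -- AESFMA.xml 8021x.xml BLUESSO.xml WiFi-Profile.xml '*.wlanprofile' '*.lanprofile'`) and treat anything found there as already disclosed. Two smaller points: the bare patterns match a file of that name anywhere in the tree, which is fine if intended but deserves a word in the comment, and this comment says the files carry "SSID + trusted-root thumbprint" while the header comment in the Run-ShopfloorSetup hunk says "Intune-managed PSK"; the two descriptions of the same package should agree.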


@@ -41,6 +41,38 @@ function Report-Stage {
}
Report-Stage -Stage 'Run-ShopfloorSetup: starting' -Index 2
# ---- Pre-stage GE Machine Auth (802.1X / AESFMA WiFi) profiles ----
# Drops the V02 MA package (8021x.xml + AESFMA.xml + bat) to a known
# location and imports profiles to every physical wired/wireless NIC.
# Profile XML is GE-internal (Intune-managed PSK + RADIUS root CA
# thumbprint) so it lives on the PXE enrollment share, NOT git.
#
# Effect: bay has the AESFMA WiFi profile ready (connectionMode=auto).
# Once Intune SCEP cert provisioning lands (a few minutes after PPKG
# enrollment), the WLAN service auto-joins AESFMA and the bay gets a
# real GE corp 10.x address. GE Report-IP script then sees that 10.x,
# POSTs cleanly to the webhook, dynamic group eligibility flips, SFLD
# ConfigurationProfile delivers, Phase 2 completes naturally.
$maShare = '\\10.9.100.1\enrollment\MachineAuth'
$maLocal = 'C:\Windows\Options\Packages\GEAerospace_MA_4x1_V02'
if (Test-Path -LiteralPath $maShare) {
try {
if (-not (Test-Path $maLocal)) { New-Item -ItemType Directory -Path $maLocal -Force | Out-Null }
Copy-Item -Path (Join-Path $maShare '*') -Destination $maLocal -Recurse -Force -ErrorAction Stop
$maBat = Join-Path $maLocal 'MA4NetworkConfigv2.bat'
if (Test-Path -LiteralPath $maBat) {
Write-Host "Running MA4NetworkConfigv2.bat (imports 8021x + AESFMA profiles)..."
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', "`"$maBat`"" -Wait -NoNewWindow -ErrorAction SilentlyContinue
} else {
Write-Warning "MA bat not at $maBat - profiles NOT imported."
}
} catch {
Write-Warning "MachineAuth stage failed: $_"
}
} else {
Write-Warning "MachineAuth share not reachable at $maShare - skipping profile import."
}
# AutoLogonCount is NOT set here. Previously we bumped it to 99/4, but
# Windows decrements it per-logon and at 0 clears AutoAdminLogon -- which
# nukes the lockdown-configured ShopFloor autologon later in the chain.
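Review bot: `MA4NetworkConfigv2.bat` is copied from `\\10.9.100.1\enrollment\MachineAuth` and executed with no integrity check, so anyone who can write to that share, or answer for 10.9.100.1 on the PXE LAN, runs arbitrary code on every bay in whatever context Run-ShopfloorSetup runs; compare the package against a known value before `Start-Process` (for example `(Get-FileHash -LiteralPath $maBat -Algorithm SHA256).Hash -eq $expectedHash`, with the expected hash kept in the playbook rather than on the share) and consider requiring SMB signing for the copy. Separately, `-Wait` without `-PassThru` returns nothing and `-ErrorAction SilentlyContinue` hides launch failures, so a failed import is never surfaced to Report-Stage; use `$p = Start-Process ... -PassThru -Wait` and `Write-Warning` when `$p.ExitCode -ne 0`. Minor: `Test-Path $maLocal` is the only call in this hunk without `-LiteralPath`, and the header comment's "Intune-managed PSK" contradicts the commit message, which describes a SCEP-provisioned machine certificate for 802.1X; make the comment match.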